From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][scarthgap 02/12] python3: update CVE product
Date: Wed, 16 Jul 2025 19:58:50 -0700
Message-ID: <72369cd66f78a371608c3fff205e0e96c248f2b3.1752721028.git.steve@sakoman.com>
In-Reply-To: <cover.1752721028.git.steve@sakoman.com>
From: Peter Marko <peter.marko@siemens.com>
There are two "new" CVEs reported for python3, their CPEs are:

* CVE-2020-1171: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)
* CVE-2020-1192: cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:* (< 2020.5.0)

These are for "Visual Studio Code Python extension".

Solve this by adding CVE vendor to python CVE product to avoid
confusion with Microsoft as vendor.

Examining CVE DB for historical python entries shows:

sqlite> select vendor, product, count(*) from products where product = 'python' or product = 'cpython'
...> or product like 'python%3' group by vendor, product;
microsoft|python|2
python|python|1054
python_software_foundation|python|2

Note that this already shows that the cpython product is not used, so
CVE-2023-33595 mentioned in 62598e1138f21a16d8b1cdd1cfe902aeed854c5c
was updated.
But let's keep it for the future in case a new CVE starts with that again.
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
meta/recipes-devtools/python/python3_3.12.11.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/python/python3_3.12.11.bb b/meta/recipes-devtools/python/python3_3.12.11.bb
index 706dabb5cd..84c4f74158 100644
--- a/meta/recipes-devtools/python/python3_3.12.11.bb
+++ b/meta/recipes-devtools/python/python3_3.12.11.bb
@@ -45,7 +45,7 @@ SRC_URI[sha256sum] = "c30bb24b7f1e9a19b11b55a546434f74e739bb4c271a3e3a80ff4380d4
# exclude pre-releases for both python 2.x and 3.x
UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"
-CVE_PRODUCT = "python cpython"
+CVE_PRODUCT = "python:python python_software_foundation:python cpython"
CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
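Review bot: the trailing `cpython` entry in the new CVE_PRODUCT line stays unqualified while the two new entries carry a vendor, so it would still match a `cpython` product from any vendor; since the commit message keeps it only in case a future CVE uses that product again, consider qualifying it the same way (for example `python:cpython`) or adding a short comment above the line explaining why it is deliberately left vendor-less.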
--
2.43.0
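As an added illustration (not part of this patch and not OE-core's cve-check code), the following Python models why a vendor-qualified CVE_PRODUCT entry stops the Visual Studio Code CPEs from matching python3: the matching rule is a simplified assumption, the Microsoft CPE is the one quoted in the commit message, and the two CPEs carrying a 3.12.11 version are constructed here.

```python
# Added example: a minimal model of CVE_PRODUCT matching against CPE 2.3 strings.
# The rule "bare product matches any vendor, vendor:product matches exactly one
# vendor" is an assumption made for this illustration, not OE-core's implementation.
from typing import NamedTuple, Optional


class Cpe(NamedTuple):
    vendor: str
    product: str


def parse_cpe23(cpe: str) -> Cpe:
    """Extract the vendor and product fields from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return Cpe(vendor=parts[3], product=parts[4])


def parse_cve_product(value: str) -> list[tuple[Optional[str], str]]:
    """Split a CVE_PRODUCT value into (vendor, product) pairs; vendor None = any."""
    entries: list[tuple[Optional[str], str]] = []
    for item in value.split():
        if ":" in item:
            vendor, product = item.split(":", 1)
            entries.append((vendor, product))
        else:
            entries.append((None, item))
    return entries


def cve_product_matches(cve_product: str, cpe: str) -> bool:
    """True if any CVE_PRODUCT entry matches the CPE's vendor/product pair."""
    target = parse_cpe23(cpe)
    for vendor, product in parse_cve_product(cve_product):
        if product == target.product and vendor in (None, target.vendor):
            return True
    return False


# CPE from the commit message (VS Code Python extension, vendor "microsoft").
MS_VSCODE_CPE = "cpe:2.3:a:microsoft:python:*:*:*:*:*:visual_studio_code:*:*"
# Constructed CPEs for the two vendors seen in the CVE DB query output.
PSF_CPE = "cpe:2.3:a:python_software_foundation:python:3.12.11:*:*:*:*:*:*:*"
PYTHON_CPE = "cpe:2.3:a:python:python:3.12.11:*:*:*:*:*:*:*"

OLD_CVE_PRODUCT = "python cpython"
NEW_CVE_PRODUCT = "python:python python_software_foundation:python cpython"

if __name__ == "__main__":
    for label, value in (("old", OLD_CVE_PRODUCT), ("new", NEW_CVE_PRODUCT)):
        for cpe in (MS_VSCODE_CPE, PSF_CPE, PYTHON_CPE):
            print(f"{label}: {parse_cpe23(cpe)} -> {cve_product_matches(value, cpe)}")
```

Running it shows the old value matching all three CPEs, while the new value matches only the two genuine CPython vendors.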